What Cyber Warfare Treaties Have Completely Failed to Address

Lena Kowalski

March 7, 2026

International law has rules for war. The Geneva Conventions, the Hague Conventions, and centuries of custom govern armed conflict. Cyber warfare has none of that. There are no binding treaties. No clear definitions of what counts as an attack. No agreed rules of engagement. Nations hack each other, disrupt infrastructure, and steal data with little consequence. The treaties that exist—or that diplomats keep proposing—have failed to address the real problems. Here’s what they’ve missed.

The attribution problem

Cyber attacks are hard to attribute. A hack can be routed through servers in a dozen countries. Malware can mimic another nation’s tools. Proxies and contractors blur the line between state and non-state actors. When Russia hit Ukraine’s power grid, when North Korea stole cryptocurrency, when China exfiltrated defence data—attribution took months or never reached certainty. Treaties assume you can identify the attacker. In cyberspace, you often can’t.

No agreed definitions

What counts as a “cyber attack”? Is espionage an attack? Is ransomware? Is a DDoS that knocks a bank offline for an hour? International law distinguishes between espionage (often tolerated) and armed attack (which can trigger self-defence). In cyberspace, the line is blurry. A hack that steals data might not “damage” anything in the traditional sense. A hack that disrupts a hospital might. Treaties that don’t define these terms are useless. So far, no major treaty has.

Non-state actors

Most armed conflicts involve states. Cyber attacks often involve criminals, hacktivists, or contractors. A ransomware group might operate from a country that turns a blind eye. A hacktivist collective might have no fixed location. Treaties bind states. They don’t bind the groups that do much of the actual hacking. Holding states accountable for “their” hackers is possible in theory—but proving state sponsorship is hard, and enforcement is harder.

Asymmetry and deterrence

Nuclear deterrence works because retaliation is credible and devastating. Cyber deterrence is murky. A small country can inflict serious harm on a large one. Attribution is uncertain. Retaliation might escalate in unpredictable ways. Nations are hesitant to admit they’ve been attacked—it signals weakness—and equally hesitant to publicly retaliate. The result: lots of attacks, little accountability.

What treaties have tried

The Tallinn Manual, the UN Group of Governmental Experts, and various bilateral agreements have tried to establish norms: don’t attack hospitals, don’t disrupt elections, don’t target critical infrastructure during peacetime. Some nations have signed on. Few have been willing to enforce them. When norms are violated, the response is usually sanctions or indictments—not collective action. The treaties exist on paper. They haven’t changed behaviour.

The bottom line

Cyber warfare treaties have failed because they haven’t solved attribution, definitions, or enforcement. Until those problems are addressed—and that may require technical and political breakthroughs we don’t yet have—cyberspace will remain a grey zone where nations hack with impunity.
